New ‘ToddyCat’ APT Targets High-Profile Entities in Europe, Asia

Kaspersky has detailed the activity of ToddyCat, a relatively new advanced persistent threat (ATP) actor that has been targeting high-profile entities in Europe and Asia for more than a year and a half.

Focused on government organizations and military entities, including military contractors, ToddyCat is mainly characterized by the use of the Samurai backdoor and the Ninja trojan, two previously unknown malware families that provide the attackers with remote control over the infected systems.

The first ToddyCat attacks were observed in December 2020, when the threat actor was mainly focused on the servers of three organizations in Taiwan and Vietnam. Starting late February 2021, however, the adversary started targeting multiple organizations in Europe and Asia, exploiting the ProxyLogon Microsoft Exchange vulnerability for initial access.

According to Kaspersky, the group might have exploited ProxyLogon between December 2020 and February 2021 as well, given that it was targeting Exchange servers for initial compromise. The attackers were deploying a China Chopper web shell onto the compromised machines.

After gaining access to vulnerable Exchange servers, ToddyCat would deploy Samurai, a passive backdoor that communicates over ports 80 and 443 and which supports code execution.

Courtesy of its modular architecture, the malware allows the attackers to remotely control the infected machine, exfiltrate files, start proxy connections, and move laterally. The backdoor also employs obfuscation and various other techniques to avoid detection and to hinder analysis.

In some cases, the backdoor was used to launch Ninja, a trojan that could be part of an unknown post-exploitation toolkit exclusive to ToddyCat. Loaded directly in memory, the malware appears to function as a collaborative tool that enables multiple attackers to control the same machine simultaneously and provides support for a broad range of commands.

Based on received instructions, the threat can enumerate and manage running processes, manage the file system, start reverse shell sessions, inject code into processes, load additional modules, and provide proxy functionality. Ninja can also be configured to communicate over multiple protocols and packs various anti-detection features.

Another interesting characteristic of the trojan is a ‘working time’ feature, which allows the attackers to set it to work only within a specific time frame, which helps it avoid detection by behavior-based solutions.

Kaspersky says it has observed numerous ToddyCat campaigns to date, and that starting September 2021, the attackers have been targeting desktop systems in Central Asia with a new set of loaders for the Ninja trojan. The group’s activity continues.

While initial ToddyCat attacks targeted government entities in Taiwan and Vietnam, the group was later observed exploiting the ProxyLogon vulnerability to target entities in Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, and Uzbekistan.

Although it does not appear connected to other APT groups, ToddyCat’s targets are in countries and industries typically targeted by Chinese-speaking groups. What’s more, Kaspersky discovered that a Chinese-speaking APT using the FunnyDream backdoor had compromised three organizations at the same time as ToddyCat.

However, Kaspersky doesn’t want to merge the ToddyCat and FunnyDream clusters for the time being, mainly given the high profile of the victims, which are undoubtedly of interest to multiple APTs, but also because there’s no evidence that the malware families used by the two groups are interacting with one another.

“ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile. During our investigations we discovered dozens of samples, but despite the number of files and the duration of their activities, we were unable to attribute the attacks to a known group; and there is also quite a bit of technical information about the operations that we don’t have,” Kaspersky concludes.

Related: FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels

Related: Chinese Hackers Spotted Targeting Transportation Sector

Related: Report: Chinese Hackers Targeted Southeast Asian Nations